Wildcard vs Multi-Domain Certificates: Navigating the 90-Day Lifespan Era
For years, the decision between Wildcard and Multi-Domain TLS/SSL certificates came down to a simple trade-off: the convenience of securing unlimited subdomains versus the specificity of explicitly naming each secured endpoint.
However, the landscape of public key infrastructure (PKI) is undergoing a seismic shift. With Google's impending push to reduce maximum public certificate lifespans from 398 days to just 90 days, and the industry-wide adoption of Zero Trust Architecture, the old rules of certificate management no longer apply. Manual deployments are dead, automation is mandatory, and the security implications of your certificate architecture are more critical than ever.
In this comprehensive guide, we will break down the technical differences between Wildcard and Multi-Domain (SAN) certificates, explore their inherent security vulnerabilities, and provide a definitive framework for when to use each in modern, automated DevOps environments.
The Core Definitions: Understanding the Mechanics
Before diving into security and compliance, let's establish the technical boundaries of both certificate types.
Wildcard Certificates
A Wildcard certificate uses an asterisk (*) in the domain name field to secure a base domain and an unlimited number of first-level subdomains.
For example, a certificate issued to *.example.com will successfully secure:
* api.example.com
* blog.example.com
* checkout.example.com
The Limitation: Wildcards do not traverse multiple subdomain levels. That same *.example.com certificate will throw a privacy error if applied to dev.api.example.com. To secure that, you would need a separate Wildcard for *.api.example.com.
Multi-Domain (SAN / UCC) Certificates
Multi-Domain certificates, often referred to as Subject Alternative Name (SAN) or Unified Communications Certificates (UCC), allow you to secure multiple distinct Fully Qualified Domain Names (FQDNs) under a single certificate.
Instead of a wildcard character, every domain is explicitly listed in the X509v3 Subject Alternative Name extension of the certificate. A single SAN certificate can secure:
* example.com
* example.org
* api.completely-different-domain.net
Most Certificate Authorities (CAs) limit SAN certificates to between 100 and 250 distinct domains.
The Case for Wildcard Certificates (And Their Dark Side)
Wildcard certificates have historically been the darling of IT administrators because they remove friction. If a developer needs to spin up a new staging environment, they don't need to submit a Certificate Signing Request (CSR) to the security team; they simply reuse the existing Wildcard.
When Wildcards Shine
- Dynamic SaaS Tenants: If you run a B2B SaaS platform where every new customer instantly gets a vanity subdomain (e.g.,
tenant1.your-app.com), managing a SAN certificate with thousands of constantly changing names is technically unfeasible. Wildcards allow for instant, frictionless tenant provisioning. - Edge Termination: When utilizing modern CDN and WAF providers like Cloudflare, Wildcard certificates are handled at the edge. The private key never leaves the provider's Hardware Security Modules (HSMs), mitigating the biggest risk of Wildcards.
The Dark Side: The "Blast Radius" Problem
The convenience of a Wildcard certificate is heavily outweighed by its catastrophic blast radius in the event of a breach.
1. Private Key Proliferation
To use a Wildcard certificate across fifty different servers, the corresponding private key must be copied to fifty different servers. If an attacker compromises a low-priority, forgotten staging server running an outdated OS, they don't just compromise that server. They steal the private key, granting them the ability to impersonate your production API, intercept traffic, or execute Man-in-the-Middle (MitM) attacks across your entire infrastructure. The private key becomes a "skeleton key."
2. The ALPACA Attack
The ALPACA Attack (Application Layer Protocol Confusion) is a devastating vulnerability that specifically exploits Wildcard certificates. Attackers can trick a victim's web browser into sending sensitive data (intended for a secure HTTPS web application) to a completely different service—like an FTP or IMAP email server—simply because both services share the same Wildcard certificate.
3. Single Points of Failure (SPOF)
When a Wildcard certificate expires, it doesn't just take down one application; it causes a cascading failure across every service that relies on it. The infamous Epic Games outage, which took Fortnite offline for hours, was caused by a single expired Wildcard certificate that had been manually deployed across hundreds of disparate microservices. Finding and updating every instance manually proved to be an operational nightmare.
Pro Tip: This is exactly why independent expiration tracking is critical. Even with automation, silent failures happen. Using a dedicated monitoring tool like Expiring.at ensures you get alerted before a forgotten Wildcard takes down your entire ecosystem.
The Case for Multi-Domain Certificates (And Their Hidden Risks)
Multi-Domain certificates solve the "skeleton key" problem by strictly defining exactly which endpoints are trusted.
When Multi-Domain Certificates Shine
- Strict Compliance & PCI-DSS v4.0: The latest Payment Card Industry standards mandate strict scoping of the Cardholder Data Environment (CDE). Using a Wildcard certificate across both payment subdomains (
checkout.store.com) and non-payment subdomains (blog.store.com) violates the principle of least privilege and will often trigger audit failures. SAN certificates allow you to strictly scope trust boundaries. - Legacy Unified Communications: Systems like Microsoft Exchange inherently rely on SAN certificates. Exchange requires specific FQDNs (like
mail.example.comandautodiscover.example.com) to be explicitly listed on the same certificate to function correctly. - Cross-Brand Consolidation: If your organization manages
brand-a.com,brand-b.com, andbrand-c.comon the same load balancer, a single SAN certificate efficiently secures all incoming traffic without requiring complex SNI (Server Name Indication) routing rules for multiple certificates.
The Dark Side: Information Leakage and Latency
While SAN certificates are more secure from a key-proliferation standpoint, they introduce unique operational and security challenges.
1. Certificate Transparency (CT) Log Leaks
To be trusted by modern browsers, every publicly issued TLS certificate must be logged in public Certificate Transparency (CT) logs. A SAN certificate lists all secured domains in plain text.
If your DevOps team puts www.your-brand.com and secret-unreleased-product.your-brand.com on the same SAN certificate, anyone (including competitors or attackers) can query tools like crt.sh and instantly discover your unreleased project.
2. Payload Size and Latency
A SAN certificate with 150 domains attached to it has a significantly larger file size than a single-domain certificate. During the initial TLS handshake, this entire certificate payload must be transmitted to the client. For standard web browsing, this is negligible. But for ultra-low latency APIs or high-frequency trading platforms, the bloated payload size of a massive SAN certificate introduces measurable latency.
The 90-Day Shift: Automation and the ACME Challenge
With the industry moving toward 90-day certificate lifespans, the debate between Wildcard and SAN is being overshadowed by a more pressing requirement: Automation via the ACME protocol.
Tools like Let's Encrypt and cert-manager make provisioning certificates trivial, but they require validation challenges. This is where the operational differences between Wildcard and SAN certificates become stark.
Validating Multi-Domain (SAN) Certificates: HTTP-01
SAN certificates can be validated using the HTTP-01 challenge. The ACME client (like Certbot) simply places a specific file on your web server. The Certificate Authority fetches that file over port 80. If it exists, the domain is validated. This requires zero access to your DNS infrastructure.
Validating Wildcard Certificates: DNS-01
Because an ACME CA cannot verify a wildcard via a web request (since it doesn't know which subdomain to check), Wildcard certificates strictly require the DNS-01 challenge.
This means your ACME client must programmatically create a TXT record in your DNS provider (e.g., AWS Route53, Cloudflare).
Here is an example of automating a Wildcard certificate using Certbot with the Route53 DNS plugin:
# Install the Route53 DNS plugin for Certbot
sudo apt-get install python3-certbot-dns-route53
# Request the Wildcard certificate automatically
# (Requires AWS credentials with Route53 permissions configured)
sudo certbot certonly \
--dns-route53 \
--email admin@example.com \
--agree-tos \
-d "*.example.com" \
-d "example.com"
The Security Risk: To automate this, you must give your web server API keys that allow it to modify your DNS records. If that server is compromised, the attacker can alter your DNS routing, leading to catastrophic infrastructure hijackings.
The Modern Alternative: Automated, Single-Domain Certificates
Because of the DNS-01 security risks associated with Wildcards, and the CT log leakage/payload risks associated with massive SAN certificates, modern DevOps teams are increasingly abandoning both.
The new best practice for cloud-native environments is Automated Single-Domain Certificates.
If you are using Kubernetes, for example, you can use cert-manager to automatically provision a unique, tightly-scoped certificate for every single ingress route using the safer HTTP-01 challenge.
Here is what a modern, single-domain Certificate manifest looks like in Kubernetes:
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: api-single-cert
namespace: production
spec:
secretName: api-tls-secret
duration: 2160h # 90 days
renewBefore: 360h # 15 days
issuerRef:
name: letsencrypt-prod
kind: ClusterIssuer
commonName: api.example.com
dnsNames:
- api.example.com
By issuing a unique certificate for every endpoint:
1.